After installing GDS, the following roles will exist in your MarkLogic server:
geo-data-services-readerprovides read-only access to service descriptors.geo-data-services-writerprovides full control over service descriptors.
It is recommended to create a MarkLogic user with the above roles along with the MarkLogic rest-extension-user role. That user can then be used when accessing GDS endpoints. For actions such as loading a TDE and loading a service descriptor, you should typically use an admin or admin-like user as those actions are performed during the application deployment process.
If you are using ml-gradle, you can define this user as a JSON file in your project’s src/main/ml-config/security/users directory and deploy it either via mlDeployUsers or mlDeploy.
Note that the above roles only control access to the GDS endpoints. They do not control which documents a user can query and update. Those operations are secured via standard MarkLogic document permissions.